Using vecs-cli to manage VMware Certificate Endpoint Store (VECS) instances

May 28, 2015 by: Sean Whitney in: Certificates 4 Comments

VMware introduced a brand new certificate architecture to ease the process of implementing certificates in vSphere 6.0. I have outlined the new architecture changes and the process of Replacing Certificates in vSphere 6.0 already, but I wanted to go through some of the VECS-CLI commands for anyone that was interested in diving deeper into the certificate architecture.
 
The VMware Certificate Endpoint Store (VECS) is is a repository for SSL certs and private keys. VECS is a requirement for vCenter Server, so you must use it, unlike the VMware Certificate Authority (VMCA), which is optional. Regardless of your topology for vSphere 6.0, VECS will run on every Platform Services Controller (PSC) and Management node (vCenter Server) whether it’s embedded or not. There are a few different types of default stores in VECS.
 

Default Stores

 
Machine SSL Store (MACHINE_SSL_CERT)
This store is used by the Reverse HTTP (RHTTP) proxy. vSphere 6 services now communicate through this proxy which makes things a lot easier as you can replace this certificate alone and all the endpoints communicate through this trusted ssl certificate.

Trusted root store (TRUSTED_ROOTS and TRUSTED_ROOT_CRLS)
This store contains all of your trusted root certificates.

Solution User Stores (machine, vpxd, vpxd-extension, vsphere-webclient, sms)
There are five solution users in vSphere 6 – machine, vpxd, vpxd-extensions, sms, and vSphere web client. As with previous version of vSphere, these certificates need to be unique in some way. Typically the Distinguished Name (DN) will have a different Organizational Unit (OU), for example FQDN-vCenter. These certificates are used for authentication with Single Sign-On (SSO). The machine endpoint is used by the logging service, component manager, and license server; the vpxd soltuion user is for vCenter Server; the vpxd-extensions solution user is used by Auto Deploy, and Inventory Service; the sms certificate is for storage monitoring service, and the vsphere-webclient solution is used for – you guessed it – the vSphere Web Client.

Sphere Certificate Manager Utility backup store (BACKUP_STORE)
This store creates a backup of the most recent state of the certificates that you can restore. Unfortunately, at this point, it will only create one restore step, but it is still useful.

Other
There is also an option to create your own stores. I can’t think of any use cases at this point other than third party solutions using VECS, but the option is there in case you can think of a good reason to create a new store.
 

vecs-cli.exe

 
Let’s get into the good stuff – Command Line! vecs-cli allows you to list, delete, and create stores and entries in the store, modify permissions of a store, get certificates and private keys from a store, and refresh VECS to snyc with vmdir. Let’s go through some examples.
 
VECS-CLI is located in the following directories, based on if you are using Windows, or the appliance.

Windows
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe

SUSE Linux
/usr/lib/vmware-vmafd/bin/vecs-cli

To see the full list of commands, you can use the ‘help’ argument.
 

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe help

 
To see a list of your current stores, you can run the following command.
 

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
SMS
BACKUP_STORE

 
Once you have a list of all of your current stores, you can output the certificates and private keys in that store by running the following commands. I’ll grab the certificate information from vpxd. It states that the alias is optional, but I had to specify it to get it work.
 
Note: I will be truncating my certificate information.
 

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe entry getcert --store vpxd --alias vpxd 
-----BEGIN CERTIFICATE-----
MIIDqjCCApKgAwIBAgIJAO1QMuJgzg01MA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
BAYTAlVTMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkW
BWxvY2FsMQ0wCwYDVQQKEwRQU0MxMQswCQYDVQQDEwJDQTAeFw0xNTA0MDMyMTIw

 

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe entry getkey --store vpxd --alias vpxd 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDUgddhYHgNxTAR
HRrayI3uHyRNpl5LNGepM3xjw1u/bT4BqHJD7/HVgIpPxayZM/f010CG7PbMM72T
etAUuNPf1pQFyf2MY3RtLPnR5ptWXXQKSREp16/zapg2cMyfv5gjrOs5WxsjOEjo

 
Creating and deleting stores in VECS is pretty easy. To do so, run the following commands.
 

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store create --name NewStore 
Successfully created store [NewStore]

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
SMS
BACKUP_STORE
NewStore

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store delete --name NewStore
Warning: This operation will delete store [NewStore]
Do you wish to continue? Y/N [N]
Y
Successfully deleted store [NewStore]

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
SMS
BACKUP_STORE

 
If you would like to grant read or write permissions for specific users, you can use the following commands. If you would like to revoke access, you can change ‘grant’ to ‘revoke’
 

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store get-permissions --name vpxd 

PERMISSIONS FOR STORE: [vpxd]
OWNER : SYSTEM
USER            ACCESS
vmware-vpx-workflow     read

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store permission --name vpxd --user administrator --grant write
Permissions for store [vpxd] set  successfully

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store get-permissions --name vpxd 
PERMISSIONS FOR STORE: [vpxd]
OWNER : SYSTEM
USER            ACCESS
Administrator   write
vmware-vpx-workflow     read

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store permission --name vpxd --user administrator --revoke write 
Permissions for store [vpxd] set  successfully

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store get-permissions --name vpxd 
PERMISSIONS FOR STORE: [vpxd]
OWNER : SYSTEM
USER            ACCESS
vmware-vpx-workflow     read

 
It’s also possible to create or delete entries in the stores. You will need to have created a certificate and private key and need to provide the paths to each file.
 

vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.key

 
Finally, you can force a refresh of information from vmdir. This command is pretty simple.
 

c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe force-refresh

 
Hopefully this helps everyone who is interested in playing around with VECS get started. If you would like more information, you can review the vecs-cli Command Reference
 

Posted by:

Sean Whitney

4 Comments

  1. sourav Mukherjee -  June 28, 2015 - 8:09 pm 189

    Please put some article on Vsphere 6 different type of Vmotion.

    Reply
    • Sean Whitney -  July 8, 2015 - 9:56 am 195

      Hi Sourav,

      Good idea, I will get to it when I get the chance, thank you for the suggestion!

      Sean

      Reply
  2. bioh4xor -  January 9, 2018 - 12:42 pm 626

    vecs-cli.exe entry getcert –store MACHINE_SSL_CERT –alias MSSLCERT
    vecs-cli failed. Error 4312: Possible errors:
    LDAP error: Unknown (extension) error
    Win Error: The object identifier does not represent a valid object.

    any ideas please? thanks!

    Reply
    • Rob -  February 27, 2020 - 8:28 am 691

      Just got the same error! Did you ever find a fix?

      Reply

Leave A Comment

Your email address will not be published. Required fields are marked (required):

Sean Whitney

SPONSORS

Back to Top